ADVISORY MEMORANDUM REPORT
ON DEVELOPMENT OF THE
LOAN MONITORING SYSTEM

ADVISORY REPORT NUMBER A1-03

FEBRUARY 23, 2001

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General

U.S. Small Business Administration
Office of Inspector General
Washington, DC 20416

Advisory Memorandum Report
Issue Date: February 23, 2001
Report Number: A1-03

TO:       Kris Marcy, Chief Operating Officer

FROM:     Robert G. Seabrooks, Assistant Inspector General for Auditing

SUBJECT:  Development of the Loan Monitoring System

The Office of Inspector General, Auditing Division, is conducting an ongoing evaluation of the development of SBA’s Loan Monitoring System (LMS). We are conducting this evaluation because of the importance of LMS to SBA’s strategic goals and because of the complexities and risks associated with large system development projects like LMS. This is the first of a series of reports we plan to issue as project milestones are reached or significant concerns arise.

LMS is an integral part of SBA’s Systems Modernization Initiative (SMI) – a multi-year, multi-million dollar effort to overhaul the Agency’s information systems and processes.
LMS is intended to provide the information and tools needed to enable the Agency to more effectively and efficiently manage risk, perform lender oversight, manage the loan portfolio and collect data for subsidy rate calculations.

OBJECTIVE AND SCOPE

The objective of our ongoing evaluation is to determine the LMS project’s adherence to SBA’s recently adopted System Development Methodology (SDM).[1] The LMS project recently reached a major milestone when the first SDM phase, “Initiate Project,” was completed. This report provides the results of our review of two “Initiate Project” phase deliverables: (1) the “LMS Project Plan” dated May 2000 and (2) the “LMS Security Risk Analysis” dated September 2000. The report also provides our findings regarding project management documentation, the quality assurance function, and acquisition planning. Our evaluation is based on review of documents, attendance at meetings, and interviews with people involved with the LMS development project.

[1] The SDM is a set of management controls intended to ensure the success of information system development projects. It describes activities and deliverables to be completed in the following phases: Initiate Project, Define System, Design System, Build System, Evaluate System, and Operate System.

RESULTS

This report addresses the need to: (1) update the LMS Project Plan, (2) expand the LMS Security Risk Assessment as systems assets are defined, (3) document and distribute project status reports and the results of meetings and reviews, (4) strengthen the quality assurance function, and (5) strengthen acquisition planning.

Finding 1: The LMS Project Plan Needs to be Updated.

Development of a project plan is one of the SDM requirements in the “Initiate Project” phase. In May 2000, SBA completed the “LMS Project Plan” to “identify the essential steps needed to serve as a basis for the acquisition or development and implementation LMS.” The plan is not current. The plan should be updated to reflect system acquisition decisions and other accomplishments. Updating is required by the following sections of the LMS Project Plan:

        Section 3.2.2, LMS Milestones: It is only after collecting market survey data collected from the Request for Information (RFI) process that the project team will have enough information to fully identify, document and solidify the acquisition strategy. At this point in the project, a decision is made whether to proceed with the COTS/GOTS[2] and/or development approach. The project plan will be revised to reflect the choice. A large systems integration effort that combines COTS/GOTS approaches with software development is viewed as the most cost effective and least risky.
        [emphasis added]

        Section 3.2.3 Updating the LMS Plan: As called for in the SDM, the Project Plan and System Decision Paper will be updated to reflect the results of decisions made.

Recommendation

1. We recommend that the LMS Project Plan be updated to reflect recent system acquisition decisions, and a process be developed to ensure the project plan is updated periodically in accordance with SDM requirements.

[2] Commercial off-the-shelf / Government off-the-shelf

SBA Management’s Response

Agree. The LMS Project Plan is currently being revised to reflect the change in acquisition strategy. The revised plan also will reflect that the OCIO considers itself to be a software acquisition group not a system development group. There is a significant difference between these as identified by the Software Engineering Institute’s (SEI) Capability Maturity Models. The revised project plan will be ready for review in early March. The LMS project manager will continue to update the project plan as required.

In addition, the SMI team has developed a draft project management methodology that provides more detailed guidance on project management than SDM does.

OIG Evaluation of Management’s Response

The reply is responsive to the recommendation.

Finding 2: The LMS Security Risk Analysis Should be Expanded as System Assets are Identified.

The SDM also requires completion of a risk analysis for system security in the “Initiate Project” phase. Accordingly, in September 2000, SBA completed the “LMS Security Risk Analysis.” We previously provided comments and recommendations on this analysis, and all of our recommendations were incorporated into the final document.
To the extent possible, the analysis was developed in accordance with the SDM. It does not, however, include a vulnerability assessment for LMS assets, because, as pointed out in the Scope (Section 1.1) of the risk analysis, LMS assets have not yet been defined:

        The assets that comprise the LMS system have not yet been defined, and therefore the asset definition sections of this document are yet to be developed.

The assets that have not yet been defined include hardware (and its location), software, and information assets.

Recommendation

2. We recommend the Security Risk Analysis be expanded as system assets are identified.

SBA Management’s Response

Agree. The assets that comprise the LMS have not yet been fully defined; therefore, the asset definition and risk analysis can not be completed. Assets can not be defined until the successful completion of the competitive procurement for system design and systems integration services. At the appropriate time, the Security Risk Analysis will be revised.

OIG Evaluation

The reply is responsive to the recommendation.

Finding 3: The LMS Project has not Fully Complied with SDM Project Control and LMS Project Plan Requirements.

One of the “Project Control” requirements in the SDM is reporting project status. The LMS project has not generated project status reports in accordance with this requirement.
The objectives of tracking and formally reporting project status are to:

        • Provide a consistent technique for monitoring progress against plan.
        • Identify problems quickly to allow maximum time for corrections.
        • Provide an objective rather than subjective evaluation of status.
        • Give the project sponsor, users, support organizations, senior management, and other reporting levels timely information.
        • Provide a managerial evaluation rather than just raw facts.

Section 3.5 of the LMS Project Plan, “Project Review and Document Approval Process,” provides:

        Project milestone reviews will be conducted by the LMS Project Team members, facilitated by the LMS QA function, and the results presented to Senior SBA Executives via a QA report. [emphasis added]

Results of the first project milestone review were not presented to Senior SBA Executives via a QA (Quality Assurance) report.

Section 3.5 of the LMS Project Plan, Project Review and Document Approval Processes, further provides:

        The project review process is an integral component of project meetings that are scheduled and conducted regularly (weekly, bi-weekly). The Project Manager will conduct these meetings where activities are reviewed and discussed. In the weekly team meeting, project decisions are made, communicated and documented. The content of the discussion will be documented as meeting minutes and distributed to team members and appropriate stakeholders. The meeting minutes will also be stored in the LMS Project Library, which houses all project artifacts.
        The review and approval processes continue throughout the life cycle of the LMS project and involve the CM Manager who places appropriate artifacts under CM control. [emphasis added]

LMS and SMI meetings are regularly held, and because LMS is a major component of SMI, decisions affecting LMS development are made at SMI meetings. Minutes of LMS and SMI meetings have not always been taken and distributed to team members and appropriate stakeholders. The distribution of a summary of topics discussed at each regularly scheduled LMS and SMI team meeting along with decisions reached and specific actions to be taken – by whom and when – would enhance communications and help avoid misunderstandings.

Recommendation

3. We recommend compliance with SDM Project Control and LMS Project Plan requirements for reporting status and communicating the results of project meetings and reviews.

SBA Management’s Response

Agree. The SMI Project Director recently established monthly status reporting for all SMI projects. The LMS Project Manager submits monthly status reports to the SMI Project Director.
In addition, all SMI projects, including the LMS project, have improved project communications through the use of meeting minutes that are distributed via e-mail or web-site. SMI project managers will continue to improve their status reporting and project communication skills.

OIG Evaluation of Management’s Response

The reply is responsive to the recommendation.

Finding 4: A More Formal and Larger Quality Assurance (QA) Group Is Needed

According to Quality Assurance Guidelines in SDM:

        The key activities of a QA program are:

        • To provide SBA management visibility into the software development and maintenance process.
        • To perform reviews and audits of software products being built (software and documentation).
        • To review adherence to established processes, standards, and procedures for development and maintenance. [emphasis added]

        The project QA group provides the project and appropriate managers with the results of these reviews and audits.

        . . . The QA group continuously reviews project activities and audits software work products throughout the lifecycle. [emphasis added]

        QA must be part of every project, although the formality and size of the QA function will vary from project to project. For example, rigid system requirements, large project teams, and systems with increasing complexity may require a more formal, larger QA function than would a smaller, less complex project consisting of only two or three developers.
        As a result, one project with one or two developers may have a QA staff member assigned to that project part time only, while another project of 20 developers may have a QA staff member assigned to that project full-time. Typically, the QA staffing level would be approximately 3 to 5 percent of the total project staffing level. [emphasis added]

A Quality Assurance Manager has been designated for LMS to perform these functions. This person is also the LMS Configuration Manager, the LMS Information Security Specialist, and has various other responsibilities. In our opinion, part time staffing for the LMS quality assurance function is insufficient considering the size and complexity of the LMS project.

Recommendation

4. We recommend establishment of a more formal and larger LMS Quality Assurance group as called for in the SDM Quality Assurance Guidelines within SBA’s Systems Development Methodology.

SBA Management’s Response

Agree. Quality Assurance resources are needed for both LMS and at the OCIO level to ensure adequate adherence to established processes, standards, and procedures for development and maintenance. Part time staffing for the LMS is insufficient. Currently, each statement of work for LMS prototyping requires quality assurance (QA) and configuration management (CM) activities by the contractor. In addition to contractor efforts, the LMS team performs QA and CM.

Recruitment for a Quality Assurance Project Manager is in progress. The job has been advertised and has closed. Interviews are on hold until the hiring freeze is lifted.
In addition, efforts to obtain contract QA and CM support are underway.

OIG Evaluation of Management’s Response

The reply is responsive to the recommendation.

Finding 5: Acquisition Planning Needs Improvement.

The Federal Acquisition Regulation (FAR) requires agencies to perform acquisition planning and conduct market research for all acquisitions (see FAR 7.102(a)). Acquisition planning is defined at FAR 7.101 as a process:

        “Acquisition planning” means the process by which the efforts of all personnel responsible for an acquisition are coordinated and integrated through a comprehensive plan for fulfilling the agency need in a timely manner and at a reasonable cost. It includes developing the overall strategy for managing the acquisition.

General procedures for acquisition planning are provided at FAR 7.104:

    (a) Acquisition planning should begin as soon as the agency need is identified, preferably well in advance of the fiscal year in which contract award is necessary. In developing the plan, the planner shall form a team consisting of all those who will be responsible for significant aspects of the acquisition, such as contracting, fiscal, legal, and technical personnel. The planner should review previous plans for similar acquisitions and discuss them with the key personnel involved in those acquisitions. At key dates specified in the plan or whenever significant changes occur, and no less often than annually, the planner shall review the plan and, if appropriate, revise it. [emphasis added]

    (b) Requirements and logistics personnel should avoid issuing requirements on an urgent basis or with unrealistic delivery or performance schedules, since it generally restricts competition and increases prices.
        Early in the planning process, the planner should consult requirements and logistics personnel who determine type, quality, quantity, and delivery requirements.

    (c) The planner shall coordinate with and secure the concurrence of the contracting officer in all acquisition planning. If the plan proposes using other than full and open competition, the plan shall also be coordinated with the cognizant competition advocate.

SBA has not followed all of these procedures. Although procurement of a COTS (commercial off-the-shelf) package was expected from the beginning of the project, an acquisition planning team has not been established, a written acquisition plan has not been developed, and there is no overall strategy for managing the acquisition.

Recommendation

5. We recommend that an acquisition team be formed to conduct acquisition planning as described in the FAR. The team should consist of all those who will be responsible for significant aspects of the acquisition, such as contracting, fiscal, legal, and technical personnel. The team should be given adequate time to develop an acquisition strategy for LMS and develop a written acquisition plan.

SBA Management’s Response

The OIG findings are not totally correct. A formal LMS Acquisition Strategy was established in February 2000, has been revised as needed, and is currently under revision to reflect a new strategy.

Recently, an LMS acquisition team was formed at the request of the SMI Project Director. The team is composed of representatives from the offices of the Chief Information Officer, Chief Financial Officer, Capital Access, Procurement and Grants Management, and the General Counsel. Representatives from other programs will be added as needed.
The Acquisition Team has been tasked with the responsibility to develop a written acquisition plan, finalizing the SOW [statement of work], and following through until a contract is successfully awarded.

OIG Evaluation of Management’s Response

Management’s disagreement with our finding that there is no overall strategy for managing the acquisition of a COTS package for LMS is based on a document titled “Loan Monitoring System Acquisition Strategy.” As pointed out in management’s response, the document is not current.

Management’s planned actions to update the LMS Acquisition Strategy and have the LMS Acquisition Team develop a written acquisition plan are responsive to the recommendation.

*****

The findings included in this report are the conclusions of the Office of Inspector General’s Auditing Division. The findings and recommendations are subject to review, management decision, and corrective action by your office in accordance with existing Agency procedures for audit follow-up and resolution.

Please provide us your management decision for each recommendation within 30 days. Your management decisions should be recorded on the attached SBA Forms 1824, Recommendation Action Sheet, and show either your proposed corrective action and target date for completion, or explanation of your disagreement with our recommendations.

Should you or your staff have any questions, please contact Robert G.
Hultberg, Director, Business Development Programs Group at (202) 205-7577.

Attachments

ATTACHMENT 1

REPORT DISTRIBUTION

Recipient                                                          Number of Copies

Associate Deputy Administrator for Management & Administration     1
Associate Deputy Administrator for Capital Access                  1
Chief Information Officer                                          1
Chief Financial Officer                                            1
   Attention: Jeff Brown
General Counsel                                                    2
General Accounting Office                                          1